--- /dev/null
+Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.8
+diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.5
+*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.8:1.7.2.4 Wed Feb 18 09:15:52 2004
+--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.8 Tue Mar 2 02:13:29 2004
+***************
+*** 132,137 ****
+--- 132,143 ----
+ .BI -t search_timeout
+ Specify time limit on LDAP search operations
+ .
++ .TP
++ .BU -d
++ Debug mode where each step taken will get reported in detail.
++ Useful for understanding what goes wrong if the results is
++ not what is expected.
++ .
+ .SH EXAMPLES
+ For directories using the RFC2307 layout with a single domain, all
+ you need to specify is usually the base DN under where your users
+Index: squid/helpers/basic_auth/LDAP/squid_ldap_auth.c
+diff -c squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.10
+*** squid/helpers/basic_auth/LDAP/squid_ldap_auth.c:1.21.2.8 Mon Jan 5 06:12:11 2004
+--- squid/helpers/basic_auth/LDAP/squid_ldap_auth.c Thu Mar 4 02:37:38 2004
+***************
+*** 30,35 ****
+--- 30,39 ----
+ * or (at your option) any later version.
+ *
+ * Changes:
++ * 2004-03-01: Henrik Nordstrom <hno@squid-cache.org>
++ * - corrected building of search filters to escape
++ * unsafe input
++ * - -d option for "debug" like squid_ldap_group
+ * 2004-01-05: Henrik Nordstrom <hno@squid-cache.org>
+ * - Corrected TLS mode
+ * 2003-03-01: David J N Begley
+***************
+*** 95,100 ****
+--- 99,105 ----
+ #endif
+ static int connect_timeout = 0;
+ static int timelimit = LDAP_NO_LIMIT;
++ static int debug = 0;
+
+ /* Added for TLS support and version 3 */
+ static int use_tls = 0;
+***************
+*** 208,213 ****
+--- 213,219 ----
+ case 'R':
+ case 'z':
+ case 'Z':
++ case 'd':
+ break;
+ default:
+ if (strlen(argv[1]) > 2) {
+***************
+*** 333,338 ****
+--- 339,347 ----
+ use_tls = 1;
+ break;
+ #endif
++ case 'd':
++ debug++;
++ break;
+ default:
+ fprintf(stderr, PROGRAM_NAME ": ERROR: Unknown command line option '%c'\n", option);
+ exit(1);
+***************
+*** 478,483 ****
+--- 487,520 ----
+ }
+
+ static int
++ ldap_escape_value(char *escaped, int size, const char *src)
++ {
++ int n = 0;
++ while (size > 4 && *src) {
++ switch(*src) {
++ case '*':
++ case '(':
++ case ')':
++ case '\\':
++ n += 3;
++ size -= 3;
++ if (size > 0) {
++ *escaped++ = '\\';
++ snprintf(escaped, 3, "%02x", (unsigned char)*src++);
++ escaped+=2;
++ }
++ break;
++ default:
++ *escaped++ = *src++;
++ n++;
++ size--;
++ }
++ }
++ *escaped = '\0';
++ return n;
++ }
++
++ static int
+ checkLDAP(LDAP * ld, const char *userid, const char *password)
+ {
+ char dn[256];
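Review bot: The return value of the new ldap_escape_value cannot tell a caller that the login was truncated: `n` counts only bytes actually written, and the `size > 4` loop condition stops silently once fewer than five bytes remain, so a login with many filter metacharacters (each expands to three bytes in a 256-byte buffer) is quietly cut to a prefix and the search then runs for a different user. Returning the full required length, RFC 2254 style, lets the caller fail closed with `if (ldap_escape_value(escaped_login, sizeof(escaped_login), userid) >= (int)sizeof(escaped_login)) return 1;` at the call site further down in checkLDAP. The rewrite below keeps the same signature and output format and latches on the first character that does not fit so no character is dropped from the middle of the string. checkLDAP begins at the end of this hunk and continues beyond it.
```c
static int
ldap_escape_value(char *escaped, int size, const char *src)
{
    int n = 0;          /* bytes required, whether or not they fit */
    int truncated = 0;  /* once set, keep counting but stop writing */
    for (; *src; src++) {
        int need = (*src == '*' || *src == '(' || *src == ')' || *src == '\\') ? 3 : 1;
        n += need;
        if (truncated || size <= need) {   /* leave room for the NUL */
            truncated = 1;
            continue;
        }
        if (need == 3) {
            *escaped++ = '\\';
            snprintf(escaped, 3, "%02x", (unsigned char)*src);
            escaped += 2;
        } else {
            *escaped++ = *src;
        }
        size -= need;
    }
    *escaped = '\0';
    return n;   /* >= the buffer size means the result was truncated */
}
```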
+***************
+*** 490,495 ****
+--- 527,533 ----
+ }
+ if (searchfilter) {
+ char filter[256];
++ char escaped_login[256];
+ LDAPMessage *res = NULL;
+ LDAPMessage *entry;
+ char *searchattr[] =
+***************
+*** 497,502 ****
+--- 535,541 ----
+ char *userdn;
+ int rc;
+
++ ldap_escape_value(escaped_login, sizeof(escaped_login), userid);
+ if (binddn) {
+ rc = ldap_simple_bind_s(ld, binddn, bindpasswd);
+ if (rc != LDAP_SUCCESS) {
+***************
+*** 504,510 ****
+ return 1;
+ }
+ }
+! snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid, userid);
+ rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res);
+ if (rc != LDAP_SUCCESS) {
+ if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
+--- 543,551 ----
+ return 1;
+ }
+ }
+! snprintf(filter, sizeof(filter), searchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
+! if (debug)
+! fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, basedn);
+ rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res);
+ if (rc != LDAP_SUCCESS) {
+ if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
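Review bot: The snprintf that builds `filter` on the new side discards its return value, so a login long enough to overflow the 256-byte buffer (easier now that each escaped metacharacter expands to three bytes, and the template may repeat `%s` up to fifteen times) is handed to ldap_search_s as a silently truncated filter. The server will most likely reject an unbalanced filter or a cut `\2` escape, but failing closed here is cheap and explicit: capture the existing call as `int len = snprintf(filter, sizeof(filter), searchfilter, escaped_login, ...);` and add `if (len < 0 || len >= (int)sizeof(filter)) return 1;` before the search. The debug line prints only the filter and base DN, never the password, which is appropriate for cache.log. checkLDAP continues past both ends of this hunk.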
+***************
+*** 541,546 ****
+--- 582,589 ----
+ snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
+ }
+
++ if (debug)
++ fprintf(stderr, "attempting to bind to user '%s'\n", dn);
+ if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS)
+ return 1;
+
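Review bot: The escaping introduced by this commit covers only the search-filter path; the context line `snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);` whose result the new debug fprintf reports still inserts the raw login into a DN, and a login containing `,` (or another RFC 2253 special such as `+`, `"`, `\`, `<`, `>`, `;`) can presumably move the bind DN to an entry outside basedn. That is pre-existing behaviour rather than a regression, but it is the same class of bug, and ldap_escape_value as written only knows the filter metacharacters; since the `\XX` hex form is also valid in a DN, the helper could take a second character set for DN use. The -d output here prints the DN but not the password, which is fine. checkLDAP continues outside this hunk on both sides.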
+Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.8
+diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.4
+*** squid/helpers/external_acl/ldap_group/squid_ldap_group.8:1.1.2.3 Wed Nov 19 17:41:37 2003
+--- squid/helpers/external_acl/ldap_group/squid_ldap_group.8 Tue Mar 2 02:13:29 2004
+***************
+*** 138,143 ****
+--- 138,149 ----
+ .BI -S
+ Strip NT domain name component from user names (/ or \\ separated)
+ .
++ .TP
++ .BU -d
++ Debug mode where each step taken will get reported in detail.
++ Useful for understanding what goes wrong if the results is
++ not what is expected.
++
+ .SH SQUID CONFIGURATION
+ .
+ This helper is intended to be used as a external_acl_type helper from
+Index: squid/helpers/external_acl/ldap_group/squid_ldap_group.c
+diff -c squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.17
+*** squid/helpers/external_acl/ldap_group/squid_ldap_group.c:1.2.2.16 Mon Feb 9 10:04:56 2004
+--- squid/helpers/external_acl/ldap_group/squid_ldap_group.c Tue Mar 2 02:13:29 2004
+***************
+*** 229,234 ****
+--- 229,235 ----
+ case 'R':
+ case 'z':
+ case 'Z':
++ case 'd':
+ case 'g':
+ case 'S':
+ break;
+***************
+*** 558,564 ****
+ size -= 3;
+ if (size > 0) {
+ *escaped++ = '\\';
+! snprintf(escaped, 3, "%02x", (int)*src++);
+ escaped+=2;
+ }
+ break;
+--- 559,565 ----
+ size -= 3;
+ if (size > 0) {
+ *escaped++ = '\\';
+! snprintf(escaped, 3, "%02x", (unsigned char)*src++);
+ escaped+=2;
+ }
+ break;
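Review bot: ldap_escape_value now exists as two copies, this one in squid_ldap_group.c and the one the same commit adds to squid_ldap_auth.c, and they have already diverged once: this hunk fixes the `(int)` cast, which for a byte at or above 0x80 on a signed-char platform would have printed `ffffffxx` and been cut to `ff` by the size-3 snprintf, while the auth copy was added with the `(unsigned char)` form from the start. Hoisting the routine into a source file shared by both helpers would keep the next escaping fix from having to land twice. The enclosing function starts and ends outside this hunk.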